additional section policy

Kevin Darcy kcd at chrysler.com
Wed Jan 22 00:00:55 UTC 2014


If the names of the referred nameservers are in the domain of the 
referral (e.g. *.example.com nameservers referred for the example.com 
delegation), then it is *mandatory* to fill in the Additional Section 
with the relevant A/AAAA address records, since there is no other way 
for the referral to work (chicken-and-egg problem).

In most other cases, the contents of the Additional Section are 
discretionary; the responding nameserver can fill in whatever it thinks 
is "useful" to the requester. For security reasons, though, the 
requester would be wise to only pay attention to those records in the 
Additional Section that are within the "bailiwick" of the original 
question, otherwise they might accept something untrustworthy into their 
cache (the whole "bailiwick" thing is confusing, but 
http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug 
explains it fairly well).

The decision of what nameserver, among several, gets picked for 
resolving iterative queries for a particular domain, is only 
tangentially related to Additional Section processing, since NS records 
can be fetched or seen in a variety of ways, and they are (as Chris 
responded) selected via an adaptive algorithm based on SRTT (smoothed 
round-trip time). Even that, however, has been proven to be somewhat 
susceptible to attack:

http://securityintelligence.com/subverting-binds-srtt-algorithm-derandomizing-ns-selection/

in order to steer traffic to particular nameservers, for purposes, 
presumably, of DoS or to magnify the effect of a subset of nameservers 
having been compromised.

             - Kevin

On 1/19/2014 10:30 PM, houguanghua wrote:
> Dear all,
>
> Would you please tell me which RFC depicts the policy of the 'additional 
> section'? And how does the bind server deal with the 'additional section'?
>
> Sometimes the number of 'additional section' records is more than the number of 
> 'authority section' records. I don't know what the local bind server will do when 
> receiving these additional sections.
> Local Bind server may:
>    -- pick one name server randomly
>    -- or use sophisticated policies that "score" name servers and pick 
> more often the ones that replied faster
>
> Which is right?
>
> Thanks!
> Guanghua
>
>
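A small resolver-side check of the two rules in the reply above (mandatory glue for in-zone nameservers, and accepting only in-bailiwick Additional-section records), written as an added example; it is not code from the post or from BIND. The zone, nameserver names and records are constructed, and the helper names are my own.

```python
# Added example (not from the post or from BIND): bailiwick filtering of a
# referral's Additional section, plus a check for the glue a referral
# cannot work without. All names, addresses and records are constructed.

def in_bailiwick(name, zone):
    """True if `name` equals `zone` or is a subdomain of it (case-insensitive)."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def filter_additional(zone, additional):
    """Keep only A/AAAA records whose owner name lies inside the delegated
    zone; anything else is dropped so it cannot enter the cache on the
    strength of an unrelated query (the Kaminsky-style poisoning vector)."""
    kept, dropped = [], []
    for rr in additional:
        owner, rtype, _rdata = rr
        if rtype in ("A", "AAAA") and in_bailiwick(owner, zone):
            kept.append(rr)
        else:
            dropped.append(rr)
    return kept, dropped

def missing_glue(zone, ns_names, additional):
    """Nameservers inside the delegated zone that have no accepted address
    record: without that glue the referral cannot be followed at all
    (the chicken-and-egg case). Out-of-zone nameservers are resolved
    separately, so they are not reported here."""
    kept, _ = filter_additional(zone, additional)
    have_addr = {owner.lower().rstrip(".") for owner, _, _ in kept}
    return [ns for ns in ns_names
            if in_bailiwick(ns, zone)
            and ns.lower().rstrip(".") not in have_addr]

# Constructed referral for example.com: two in-zone nameservers (only one
# with glue), one out-of-zone nameserver, and one record for another domain.
ZONE = "example.com."
NS_NAMES = ["ns1.example.com.", "ns2.example.com.", "ns.other-host.net."]
ADDITIONAL = [
    ("ns1.example.com.", "A", "192.0.2.1"),        # required glue, accepted
    ("ns.other-host.net.", "A", "198.51.100.7"),   # out of bailiwick, dropped
    ("www.example.org.", "A", "203.0.113.9"),      # unrelated domain, dropped
    ("ns1.example.com.", "TXT", "not glue"),       # wrong type for glue, dropped
]

if __name__ == "__main__":
    kept, dropped = filter_additional(ZONE, ADDITIONAL)
    print("accepted:", kept)
    print("rejected:", dropped)
    print("in-zone nameservers lacking glue:", missing_glue(ZONE, NS_NAMES, ADDITIONAL))
```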
